US11947667B2ActiveUtilityA1
Preventing ransomware from encrypting files on a target machine
Est. expirySep 13, 2038(~12.2 yrs left)· nominal 20-yr term from priority
G06F 21/554G06F 21/566G06F 2221/034
90
PatentIndex Score
2
Cited by
25
References
20
Claims
Abstract
Techniques for preventing ransomware from encrypting files on a target machine are disclosed. In some embodiments, a system/process/computer program product for preventing ransomware from encrypting files on a target machine includes monitoring file system activities on a computing device; detecting an unauthorized activity associated with a honeypot file or honeypot folder; and performing an action based on a policy in response to the unauthorized activity associated with the honeypot file or honeypot folder.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. A system, comprising:
a processor configured to:
monitor file system activities on a computing device;
detect an unauthorized activity associated with a honeypot file or a honeypot folder, wherein the honeypot file is a virtual file generated as a spoofed file system response using a filter driver or the honeypot folder is a virtual folder generated as the spoofed file system response using the filter driver, wherein the virtual file is dynamically generated with a spoofed header, a spoofed time stamp, and a spoofed file size using the filter driver, and wherein the virtual folder is not generated for the spoofed file system in response to legitimate directory activities based on an endpoint agent executing on the computing device determining that a return address associated with a request to access a protected directory is associated with a predetermined set of shell related Dynamic Link Libraries (DLLs);
perform an action based on a policy in response to the unauthorized activity associated with the honeypot file or the honeypot folder; and
a memory coupled to the processor and configured to provide the processor with instructions.
2. The system of claim 1 , wherein the processor is further configured to: perform a stack walk on a user mode part of a file system related request and search for a return address in a stack, and determine whether the return address is associated with at least one of the predetermined set of shell related DLLs.
3. The system of claim 1 , wherein the processor is further configured to:
detect a file open event associated with the honeypot file.
4. The system of claim 1 , wherein the processor is further configured to:
detect a setting file information event associated with the honeypot file.
5. The system of claim 1 , wherein the processor is further configured to:
detect a writing into a file event associated with the honeypot file.
6. The system of claim 1 , wherein the processor is further configured to:
detect an enumerating a directory event associated with the honeypot folder.
7. The system of claim 1 , wherein the processor is further configured to:
generate a plurality of honeypot files and a plurality of honeypot folders.
8. The system of claim 1 , wherein the processor is further configured to:
generate a plurality of honeypot folders.
9. The system of claim 1 , wherein the processor is further configured to:
generate a plurality of honeypot files in the protected directory.
10. The system of claim 1 , wherein the processor is further configured to:
generate a plurality of honeypot folders in the protected directory.
11. The system of claim 1 , wherein the processor is further configured to:
kill a process based on the policy in response to the unauthorized activity associated with the honeypot file or the honeypot folder associated with the process.
12. The system of claim 1 , wherein the processor is further configured to:
generate an alert based on the policy in response to the unauthorized activity associated with the honeypot file or honeypot folder.
13. The system of claim 1 , wherein detect the unauthorized activity associated with the honeypot file or the honeypot folder further comprises:
detect an enumerating directory event on the computing device;
allow a default system behavior if the enumerating directory event is associated with a non-protected directory; and
inject fake start entries if the enumerating directory event is associated with an enumeration at a beginning of the protected directory or inject fake end entries if the enumerating directory event is associated with an enumeration at an end of the protected directory.
14. A method, comprising:
monitoring file system activities on a computing device;
detecting an unauthorized activity associated with a honeypot file or a honeypot folder, wherein the honeypot file is a virtual file generated as a spoofed file system response using a filter driver or the honeypot folder is a virtual folder generated as the spoofed file system response using the filter driver, wherein the virtual file is dynamically generated with a spoofed header, a spoofed time stamp, and a spoofed file size using the filter driver, and wherein the virtual folder is not generated for the spoofed file system in response to legitimate directory activities based on an endpoint agent executing on the computing device determining that a return address associated with a request to access a protected directory is associated with a predetermined set of shell related Dynamic Link Libraries (DLLs); and
performing an action based on a policy in response to the unauthorized activity associated with the honeypot file or the honeypot folder.
15. The method of claim 14 , further comprising: performing a stack walk on a user mode part of a file system related request and searching for a return address in a stack, and determining whether the return address is associated with at least one of the predetermined set of shell related DLLs detecting a file open event associated with the honeypot file.
16. The method of claim 14 , further comprising detecting a file open event associated with the honeypot file.
17. The method of claim 14 , further comprising detecting a setting file information event associated with the honeypot file.
18. The method of claim 14 , further comprising detecting a writing into a file event associated with the honeypot file or detecting an enumerating a directory event associated with the honeypot folder.
19. A computer program product, the computer program product being embodied in a tangible non-transitory computer readable storage medium and comprising computer instructions for:
monitoring file system activities on a computing device;
detecting an unauthorized activity associated with a honeypot file or a honeypot folder, wherein the honeypot file is a virtual file generated as a spoofed file system response using a filter driver or the honeypot folder is a virtual folder generated as the spoofed file system response using the filter driver, wherein the virtual file is dynamically generated with a spoofed header, a spoofed time stamp, and a spoofed file size using the filter driver, and wherein the virtual folder is not generated for the spoofed file system in response to legitimate directory activities based on an endpoint agent executing on the computing device determining that a return address associated with a request to access a protected directory is associated with a predetermined set of shell related Dynamic Link Libraries (DLLs); and
performing an action based on a policy in response to the unauthorized activity associated with the honeypot file or the honeypot folder.
20. The computer program product of claim 19 , further comprising computer instructions for: performing a stack walk on a user mode part of a file system related request and searching for a return address in a stack, and determining whether the return address is associated with at least one of the predetermined set of shell related DLLs.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.